package com.zrrd.blog.comfig;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

@EnableGlobalMethodSecurity(prePostEnabled = true)//打开方法级别的权限控制
@EnableResourceServer//表示为资源服务器,请求资源接口时，必须在请求头中带access_token
@Configuration
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.tokenStore(tokenStore);
    }
    /**
     * 资源服务器的安全配置
     * */
    @Override
    public void configure(HttpSecurity http) throws Exception {
            http.sessionManagement()//采用token进行管理身份，而没有采用session,所以不需要创建HttpSession
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()//请求的授权配置
                    .antMatchers("/v2/api-docs","/v2/feign-docs",
                            "/swagger-resources/configuration/ui",
                            "/swagger-resources","/swagger-resources/configuration/security",
                            "/swagger-ui.html","/webjars/**").permitAll()
                    //放行以/api开头的请求接口
                    .antMatchers("/api/**").permitAll()
                    //所有请求都要有all范围权限
                    .antMatchers("/**").access("#oauth2.hasScope('all')")
                    //其他请求都要身份验证
                    .anyRequest().authenticated();
    }


}
